Compliance incentives, risk assessment and moral hazard

As recounted by Joe Murphy, under Department of Justice (DOJ) policy “[i]ncentives need to be part of your compliance program…” But this is not just because the government says so. Equally important, a compliance and ethics program needs to address incentives if it truly is intended to be effective. Ignoring incentives is a sign that a company is in reality indifferent to compliance  .

One important tool for examining your company’s system of incentives and rewards is to draw in select ways from the field of “moral hazard.”

What is moral hazard?

Moral hazard exists where there is a misalignment of incentives between those with a capacity to create risks and those likely to bear the costs of such risks.  Moral hazard was initially applied in the insurance business but has been applied in other settings as well. Where this misalignment exists the company is effectively encouraging crime and misconduct through its incentive system.  Compliance and ethics needs to be in position to raise these concerns to ensure the moral hazard risk is effectively addressed.  These risks can be dealt with by changing or reducing the incentives and/or by an appropriately robust system of controls.

Importantly for our purposes, moral hazard has also played a significant role in the prosecution of corporate crime in the US (although this has not always been done using moral hazard terminology).  That is, the law (most notably the above-referenced DOJ policy) provides for large fines (and other punishment) for organizations convicted of federal offenses, but also recognizes that those who bear the brunt of such punishment (mostly the shareholders) are often different from the individuals who benefit from the wrongdoing in question (usually the executives or other high-ranking personnel).  There is thus a push from DOJ to target penalties toward those actually in position to benefit from the wrongdoing – the responsible executives.

There are many possible ramifications to moral hazard for C&E programs.

Risk assessment – process

How does a company assess moral hazard risk?

In some instances utilizing a standalone risk assessment framework may be useful to identifying and addressing moral hazard – instances where rewards accrue to those who would avoid the risks.  In other settings moral hazard can be part of the general risk assessment.

The latter makes sense mostly in cases where moral hazard risks are likely to be high or complicated.

Risk assessment – substance

Risk assessment should, of course, include financial incentives (e.g., salary, bonus, performance evaluations, etc.).  This aspect of moral hazard is fairly common.

Non-financial risks – incentives

The risk assessment should also include non-financial moral hazard risks.  Among other things this should include reputational benefits and detriments.

Assessing non-financial moral hazard risks is obviously challenging. But it can be keenly important, at least at some companies.

Training

Key gatekeeper personnel should be trained on identifying and addressing moral hazard risks. Included here are HR, finance, risk and various members of management.  In some instances board members should be included. They should know how to recognize which incentive systems would likely lead participants to engage in misconduct while avoiding the risks of punishment and the costs generated by their misconduct.

This can be done as part of broader C&E or HR training. It need not be standalone.

Ethics beyond compliance

One of the dividends of dealing with moral hazard in a C&E program is that it can be an example of companies going beyond a pure compliance regime to one which has a significant ethics component, meaning a regime where right/wrong determinations are not limited to law-based determinations.

Auditing, checking, etc.

Audit, HR and C&E staff should develop audit/checking procedures for assessing compliance in this area. For example, where incentives and risks are misaligned, they can advocate for appropriately strong controls to reduce the risks.

Also, at least for some organizations moral hazard should be included in questions in culture surveys.

Long term, to the extent possible, personnel evaluations should consider moral hazard risk. But for some companies this might be a bridge too far, at least in the short term.

Indeed, generally I am not saying that all organizations need to engage in a full-fledged version of each of these steps. That would indeed be overkill for many.

But in my view all organizations should at least consider the impact of their incentives and rewards generally and what their moral hazard needs are and should respond appropriately.